Saturday, 28 May 2016

In previous versions of Exchange, we had the option to install the Client Access server role and the Mailbox server role on separate computers. In Exchange 2016, the Client Access server role is installed as part of the Mailbox server role and is not available as a separate installation option.

Benefits of a multi-role Exchange server architecture:

Simplified hardware purchasing, maintenance and management of the Exchange servers.

Fewer physical Exchange servers, resulting in lower maintenance costs, fewer Exchange server licenses, and less rack/floor space and power requirements.

Improved scalability. During a failure, the load on the remaining multi-role Exchange servers increases only incrementally, so other Exchange functions are not adversely affected.

Improved resiliency, because a multi-role Exchange server can survive a greater number of Client Access service failures.

Search improvements. The local search instance can now read data from the local mailbox database copy, so passive instances no longer need to perform indexing from their active counterparts.

Office Online Server Preview for Outlook on the web document preview

In Exchange 2016, Outlook on the web uses Office Online Server Preview to provide rich preview and editing capabilities for documents. You need to deploy Office Online Server Preview in your on-premises environment if you don't already have it.

MAPI over HTTP is the default for Outlook connections

In Exchange 2016, MAPI over HTTP is enabled by default, and it offers additional controls, such as the ability to enable or disable MAPI over HTTP per user, and whether to publish it to external clients.

Friday, 27 May 2016

To improve the security of ESXi hosts that are managed centrally by vCenter Server, we enable lockdown mode on the ESXi hosts.

ESXi 5.x and prior:

When Lockdown mode is enabled, only the vpxuser has authentication permissions. Other users cannot perform any operations directly on the ESXi host. Lockdown mode forces all operations to be performed through vCenter Server.

When the ESXi host is in lockdown mode, we cannot use vCLI commands, scripts, or the vSphere Management Assistant against the host directly, bypassing vCenter Server. External software or tools like backup agents also might not be able to retrieve or modify information from the ESXi host directly.

ESXi 6.x

With vSphere 6, VMware introduced a couple of new concepts into lockdown mode, listed below, to make it more flexible than its predecessors:

Normal Lockdown Mode

Strict Lockdown Mode

Exception Users

Normal Lockdown Mode

In normal lockdown mode, all direct connections to ESXi servers are blocked.

You can manage ESXi servers via vCenter Server, or alternatively use the direct console user interface (DCUI). The DCUI service is not stopped in normal lockdown mode.

If the connection to the vCenter Server system is lost, privileged user accounts can log in to the ESXi host’s Direct Console User Interface (DCUI) and exit from lockdown mode.

Only the following accounts can access the Direct Console User Interface:

User accounts in the Exception User list for lockdown mode who have administrative privileges on the host. VMware vSphere 6.0 introduced the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. We can use the Exception User list to add the accounts of third-party solutions and external applications like backup agents that need direct access to the ESXi host while it is in lockdown mode.

Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.

Strict Lockdown Mode

In strict lockdown mode, which is newly introduced in vSphere 6.0, the DCUI service is also stopped.

In the event that the connection to vCenter Server is lost and we cannot restore it, we will have to reinstall the ESXi host.

If the connection to vCenter Server is lost, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and the Exception Users list is populated.

ESXi Shell and SSH services are independent of lockdown mode. However, these services are disabled by default.

When a host is in lockdown mode, users on the Exception Users list can access the ESXi host from the ESXi Shell and through SSH.

Note: The DCUI doesn't offer a choice of Normal or Strict lockdown mode. When you enable lockdown mode from the DCUI you get Normal mode by default. Also, if you enable or disable lockdown mode using the Direct Console User Interface, permissions for users and groups on the host are discarded. To preserve these permissions, enable and disable lockdown mode using the vSphere Web Client.

Note: If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting lockdown mode, and if you exit lockdown mode after the upgrade, all the permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible. To retain permissions, disable lockdown mode for the host from the vSphere Web Client before the upgrade.
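As an added example (not code from the original post), the following PowerCLI audit reports each host's lockdown mode, Exception Users, DCUI.Access accounts and the state of the ESXi Shell and SSH services, and flags the combinations the post warns about. It assumes VMware PowerCLI is installed and Connect-VIServer has already been run against the vCenter Server.

```powershell
# Added example: audit lockdown mode on every ESXi host managed by vCenter.
# Assumes VMware PowerCLI is installed and Connect-VIServer has been run.
function Get-LockdownAudit {
    foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        $view = $vmhost.ExtensionData
        # API values: lockdownDisabled, lockdownNormal, lockdownStrict
        $mode = [string]$view.Config.LockdownMode

        # Exception Users keep their privileges while the host is in lockdown
        # mode (HostAccessManager exists only on ESXi 6.0 and later hosts)
        $exceptions = @()
        if ($view.ConfigManager.HostAccessManager) {
            $accessMgr  = Get-View $view.ConfigManager.HostAccessManager
            $exceptions = @($accessMgr.QueryLockdownExceptions())
        }

        # DCUI.Access lists the emergency accounts allowed into the DCUI
        $dcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value

        # ESXi Shell (TSM) and SSH (TSM-SSH) are independent of lockdown mode
        $services = Get-VMHostService -VMHost $vmhost
        $shell = $services | Where-Object { $_.Key -eq 'TSM' }
        $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }

        $findings = @()
        if ($mode -eq 'lockdownDisabled') { $findings += 'lockdown mode disabled' }
        if ($mode -eq 'lockdownStrict' -and $exceptions.Count -eq 0) {
            # No DCUI and no exception users: losing vCenter means reinstalling the host
            $findings += 'strict mode with empty Exception Users list'
        }
        if ($shell.Running) { $findings += 'ESXi Shell running' }
        if ($ssh.Running)   { $findings += 'SSH running' }
        if ($shell.Policy -eq 'on' -or $ssh.Policy -eq 'on') {
            $findings += 'ESXi Shell/SSH set to start with the host'
        }

        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $mode
            ExceptionUsers = ($exceptions -join ', ')
            DcuiAccess     = $dcuiAccess
            Findings       = ($findings -join '; ')
        }
    }
}

Get-LockdownAudit | Format-Table -AutoSize
```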

Tuesday, 24 May 2016

Why memory reclamation: ESXi supports memory overcommitment in order to provide higher memory utilization and a higher consolidation ratio. To support memory overcommitment effectively, the hypervisor provides efficient host memory reclamation techniques. ESXi uses several techniques to reclaim virtual machine memory, which are:

Do check the links for a detailed discussion of each of these techniques. Now the question is: when do these techniques run? Always? At a specific threshold? Let's explore that too. Which memory reclamation technique is active depends on which memory state is currently active. The following are the possible memory states in vSphere.

High

Clear (New in vSphere 6 onward)

Soft

Hard

Low

I have explained these states in another article, on the sliding scale method. The chart below explains which memory reclamation technique will be active depending on which memory state is active.

NOTE: As we all know, from vSphere 6 onward TPS is turned OFF by default. However, if you enable it, TPS runs continuously and tries to share memory pages as in old versions of ESXi, but this applies only to small memory pages, i.e. 4KB pages.

When available free memory is less than the High state but more than the Clear state, as in the chart above, ESXi starts preemptively breaking up large pages so that TPS (if enabled in vSphere 6) can collapse them at its next run cycle.

If the amount of available free memory is a bit less than the Min.FreePct threshold, as in the chart above, the VMkernel applies ballooning to reclaim memory.

The ballooning memory reclamation technique introduces the least amount of performance impact on the virtual machine by working together with the guest operating system inside the virtual machine; however, there is some latency involved with ballooning.

Compression helps to avoid hitting the Low state without impacting virtual machine performance, but if memory demand is higher than the VMkernel's ability to reclaim, the drastic measure of hypervisor swapping is taken to avoid memory exhaustion.

However, hypervisor swapping introduces VM performance degradation due to issues like high latency and paging/double paging. For this reason, this reclamation technique is used only when the situation requires drastic measures.

This post completes the series of posts on memory reclamation. Let's explore something new in upcoming posts. I hope you enjoyed the series. :)

Monday, 23 May 2016

A shared mailbox is one of the recipient types in Exchange that doesn't have its own user name and password. Because of this, users can't log into it directly.

To access a shared mailbox, users must first be granted Send As or Full Access permissions to the mailbox. Once that’s done, users sign into their own mailboxes and then access the shared mailbox by adding it to their Outlook profile.

Shared mailboxes make it easy for a group of people in your company to monitor and send email from a common account, such as info@example.com or support@example.com.

When a person in the group replies to a message sent to the shared mailbox, the email looks like it was sent by the shared mailbox, not by the individual user.
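As an added example (not from the original post), the following Exchange Management Shell commands create a shared mailbox, grant Full Access and Send As to a team, and then list the explicit delegations so they can be reviewed; the mailbox name, alias and the 'Support Team' group are made-up values, and the group is assumed to be a mail-enabled universal security group.

```powershell
# Added example: create a shared mailbox, delegate it, and review the delegation.
# Run in the Exchange Management Shell. Names below are made-up values; the
# group is assumed to be a mail-enabled universal security group.
$SharedName  = 'Support'
$SharedAlias = 'support'
$TeamGroup   = 'Support Team'

# 1. Create the shared mailbox. Its AD user account is created disabled, so
#    nobody logs into it directly.
New-Mailbox -Shared -Name $SharedName -DisplayName $SharedName -Alias $SharedAlias

# 2. Full Access lets members open the mailbox from their own profile. Outlook
#    auto-mapping only applies to users granted Full Access directly, not via a
#    group, so group members add the mailbox to their profile manually.
Add-MailboxPermission -Identity $SharedName -User $TeamGroup `
    -AccessRights FullAccess -InheritanceType All

# 3. Send As is an AD extended right on the mailbox's user object, so it is
#    granted with Add-ADPermission; replies then appear to come from the mailbox.
Add-ADPermission -Identity $SharedName -User $TeamGroup -ExtendedRights 'Send-As'

# 4. Review: list only explicit (non-inherited) delegations, leaving out the
#    mailbox's own SELF entry, so each grant can be checked against need.
function Get-SharedMailboxDelegation {
    param([Parameter(Mandatory)][string]$Identity)
    $full = Get-MailboxPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -contains 'FullAccess' } |
        Select-Object @{ n = 'User'; e = { $_.User } }, @{ n = 'Right'; e = { 'FullAccess' } }
    $sendAs = Get-ADPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' -and
                       ($_.ExtendedRights -like '*Send-As*') } |
        Select-Object @{ n = 'User'; e = { $_.User } }, @{ n = 'Right'; e = { 'SendAs' } }
    @($full) + @($sendAs)
}

Get-SharedMailboxDelegation -Identity $SharedName | Format-Table -AutoSize
```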

Before I talk about the sliding scale method, let's discuss the Mem.MinFreePct value. Eventually this discussion will lead us to understanding the sliding scale method.

What is the Mem.MinFreePct value?

MinFreePct determines the amount of memory that the VMkernel should keep free. This threshold is further subdivided into multiple memory thresholds, i.e. High, Clear (new in vSphere 6), Soft, Hard and Low. These memory thresholds are also called memory states, and they were introduced to prevent performance and correctness issues.

MinFreePct is not a fixed number; instead it is calculated using the sliding scale method, and the value depends on the host memory configuration.

The table below helps us calculate the MinFreePct value.

Let us understand the sliding scale calculation of Mem.MinFreePct with an example.

Let's say I have 100GB of memory in an ESXi host.

So from the first 4GB of memory we set aside 6% of 4GB, which is equal to 245MB.

For the second range of 4-12GB, i.e. 8GB, we set aside another 4% of 8GB, which is equal to 327MB.

For the third range of 12-28GB, i.e. 16GB, we set aside 2% of 16GB, which is equal to 327MB.

Now from the remaining 72GB (i.e. 100GB host – 28GB) on my ESXi host, we set aside 1% of 72GB, which is equal to 720MB.

In total, if I sum all the memory kept aside across all ranges, the value of Mem.MinFree is equal to 1619MB. So 1619MB of memory is being kept free for the system.

Now, when the ESXi host has less than 1619MB of free memory, various memory reclamation techniques come into play, according to the memory states High, Clear, Soft, Hard, and Low.

Memory states and their thresholds:

We referred to the different memory states earlier in this article. From vSphere 6.0 onward, we have five memory states, as listed below.

High

Clear (New in vSphere 6.0)

Soft

Hard

Low

These memory states become active according to their threshold values. The table below helps us understand at which threshold each memory state is active.

Based on which memory state is active, the respective memory reclamation techniques will kick in. I will talk more about this in another article.

The Soft and Hard thresholds are related to virtual machine performance and memory starvation prevention.

The threshold for the Low state protects the VMkernel layer from PSOD issues caused by memory starvation.

The VMkernel employs more drastic memory reclamation techniques as it approaches the Low state.
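As an added example (not from the original posts), the following PowerShell script carries the sliding scale calculation through for any host size and then classifies a given amount of free memory into one of the five states, together with the reclamation action the previous post associates with each state. It assumes 1 GB = 1024 MB throughout (the post rounds the last range in decimal GB, which is why it gets 1619 MB where this script gets 1638.4 MB for a 100 GB host), and the state thresholds as percentages of MinFree (300/100/64/32/16) are the commonly documented vSphere 6 values, not taken from this page, so check them against your version's Resource Management guide.

```powershell
# Added example: compute Mem.MinFree with the sliding scale method and classify
# the host's memory state from its free memory. Assumes 1 GB = 1024 MB; the
# state thresholds are assumed vSphere 6 values, not taken from this page.

# Sliding scale ranges: upper bound in GB and the percentage kept free in that range
$SlidingScale = @(
    @{ UpToGB = 4;                  Pct = 6 },   # first 4 GB
    @{ UpToGB = 12;                 Pct = 4 },   # 4-12 GB
    @{ UpToGB = 28;                 Pct = 2 },   # 12-28 GB
    @{ UpToGB = [double]::MaxValue; Pct = 1 }    # everything above 28 GB
)

# Memory states from most to least free memory, as a percentage of MinFree (assumed)
$StateThresholdsPct = [ordered]@{ High = 300; Clear = 100; Soft = 64; Hard = 32; Low = 16 }

# What the VMkernel does in each state, as described in the reclamation post
$StateAction = @{
    High  = 'no reclamation'
    Clear = 'break large pages so TPS (if enabled) can share them'
    Soft  = 'ballooning'
    Hard  = 'compression, then hypervisor swapping'
    Low   = 'hypervisor swapping (memory exhaustion imminent)'
}

function Get-MinFreeMB {
    param([Parameter(Mandatory)][double]$HostMemoryGB)
    $minFree = 0.0; $lower = 0.0
    foreach ($range in $SlidingScale) {
        if ($HostMemoryGB -le $lower) { break }
        $upper = [math]::Min($HostMemoryGB, $range.UpToGB)
        # Each range contributes its own percentage of the memory inside it
        $minFree += ($upper - $lower) * 1024 * ($range.Pct / 100)
        $lower = $upper
    }
    return [math]::Round($minFree, 2)
}

function Get-MemoryState {
    param([Parameter(Mandatory)][double]$HostMemoryGB,
          [Parameter(Mandatory)][double]$FreeMemoryMB)
    $minFree = Get-MinFreeMB -HostMemoryGB $HostMemoryGB
    # The active state is the highest one whose threshold free memory still
    # meets; below the Low threshold the host is also reported as Low.
    $state = 'Low'
    $thresholds = [ordered]@{}
    foreach ($name in $StateThresholdsPct.Keys) {
        $thresholds[$name] = [math]::Round($minFree * $StateThresholdsPct[$name] / 100, 2)
        if ($state -eq 'Low' -and $FreeMemoryMB -ge $thresholds[$name]) { $state = $name }
    }
    [pscustomobject]@{
        HostMemoryGB = $HostMemoryGB; FreeMB = $FreeMemoryMB; MinFreeMB = $minFree
        State = $state; Action = $StateAction[$state]; ThresholdsMB = $thresholds
    }
}

# The post's 100 GB host with 1500 MB free: below MinFree (1638.4 MB), so Soft state
Get-MemoryState -HostMemoryGB 100 -FreeMemoryMB 1500
```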

Sunday, 22 May 2016

ESXi employs hypervisor swapping to reclaim memory, if other memory reclamation techniques like ballooning, transparent page sharing, and memory compression are not sufficient to reclaim memory.

Transparent Page Sharing (TPS) speed depends on the possibility of sharing memory pages, and another reclamation technique, ballooning, depends on the guest operating system's response to memory allocation requests. Because of this, these techniques may take time to reclaim memory.

Unlike other techniques, hypervisor swapping is a guaranteed technique to reclaim a specific amount of memory within a specific amount of time.

At virtual machine start-up, the hypervisor creates a separate swap file for the virtual machine (.vswp) inside the virtual machine folder by default, unless the swap file location has been changed. This file is used by the hypervisor to directly swap out virtual machine physical memory to the swap file. This frees host physical memory, which can then be used by other virtual machines.

However, hypervisor swapping is used as a last resort to reclaim memory from the virtual machine, as there will be a performance impact on the virtual machine due to some known issues, as listed below.

Memory compression: reduces the number of pages that need to be swapped out while reclaiming the same amount of host memory. For more details on how compression works, do check my other article on the subject.

SSD swapping: If an SSD device is installed in the host, we can choose to configure a host SSD cache. Using swap to host cache does not mean placing regular swap files on SSD-backed datastores. Even if you enable swap to host cache, the host still needs to create regular swap files. ESXi uses the host cache (SSD) to store swapped-out pages first, instead of putting them directly in the regular hypervisor swap file (.vswp). Upon the next access to a page in the host cache, the page is pushed back to guest memory and then removed from the host cache. Since SSD read latency, normally around a few hundred microseconds, is much lower than typical disk access latency, this optimization significantly reduces swap-in latency and hence greatly improves application performance in high memory overcommitment scenarios.

How does SSD swap work?

Multiple 1GB-sized .vswp file chunks are created inside the SSD swap. As shown in the figure below, a 10GB SSD has ten .vswp files created inside it. These files can be seen by browsing the datastore. These .vswp files are not specific to VMs, unlike the ones we have in shared storage. Each VM has its own regular .vswp in shared storage inside its VM folder. However, the .vswp files inside the SSD swap are shared by virtual machines whenever there is a need for swapping.

Before we install Microsoft Exchange Server 2016, we need to prepare the Active Directory forest and its domains. This step is required so that Exchange 2016 can store information about your users' mailboxes and the configuration of Exchange servers.

There are a couple of ways we can prepare Active Directory for Exchange.

The first option is to let the Exchange 2016 Setup wizard do it during setup. This approach is more suitable if we are doing a small deployment and there are no separate teams managing the servers.

The second option is the detailed procedure described below.

NOTE: The account we use to perform these steps needs to be a member of both the Schema Admins and Enterprise Admins security groups.

Extend the Active Directory schema: Before we extend the schema:

The account you're logged in as must be a member of the Schema Admins and Enterprise Admins security groups.

The computer where you'll run the command to extend the schema needs to be in the same Active Directory domain and site as the schema master.

If you use the DomainController parameter, make sure to use the name of the domain controller that's the schema master.

The only supported ways to extend the schema for Exchange are the Exchange 2016 Setup wizard or the process we are discussing in this article. Other ways of extending the schema are not supported.

Steps to extend Schema:

Open a Windows Command Prompt window and navigate to the Exchange installation files location.

Run the following command to extend the schema.

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

NOTE: Once schema is extended, wait for Active Directory to replicate the changes to all domain controllers. We can check replication status using the Repadmin tool.

Prepare Active Directory:

Once the schema extension has completed successfully, we can move to the next step, preparing AD. In this process, Exchange creates containers, objects, and other items in Active Directory that will be used to store information.

The collection of all of the Exchange containers, objects, attributes, and so on, is called the Exchange organization.

Before we prepare Active Directory for Exchange:

The account you're logged in as needs to be a member of the Enterprise Admins security group.

The computer where we'll run the command needs to be in the same Active Directory domain and site as the schema master. It'll also need to contact all of the domains in the forest on TCP port 389.

Wait until Active Directory has replicated the changes made in step 1 to all of your domain controllers before you do this step.

Exchange Organization Name:

We need to provide a name for the Exchange organization during this step. This name is used internally by Exchange. The name of the company where Exchange is being installed is often used for the organization name. We can name it anything we want, provided that we follow the conditions below:

The organization name cannot be blank.

It can contain any uppercase or lowercase letters from A to Z.

Numbers 0 to 9.

Spaces, but not at the beginning or end of the name.

Hyphens or dashes in the name.

The name can be up to 64 characters.

The name can't be changed after it's set.

Steps to Prepare AD:

Open a Windows Command Prompt window and navigate to the Exchange installation files location.

Once AD preparation is completed, wait for Active Directory to replicate the changes to all domain controllers. We can use Repadmin to check the replication status.

Prepare Active Directory domains

The final step in preparing AD for Exchange is to prepare each of the Active Directory domains where Exchange will be installed.

We can skip this step if we have just one domain, as the previous PrepareAD step already prepared the domain for us.

This step creates additional containers and security groups, and sets permissions so that Exchange can access them.

If we have multiple domains in our Active Directory forest, we have a couple of choices in how to prepare them, as listed below.

/PrepareAllDomains

/PrepareDomain

PrepareAllDomains:

This parameter prepares every domain in the Active Directory forest for Exchange. Steps: open a Windows Command Prompt window and go to where you downloaded the Exchange installation files. Run the following command:

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

PrepareDomain:

With this parameter we need to include the fully qualified domain name (FQDN) of the domain we want to prepare.

NOTE: We need to prepare every domain where an Exchange server will be installed. We will also need to prepare any domain that'll contain mail-enabled users, even if those domains do not contain any Exchange servers.

2. Run the following command with the FQDN of the domain we want to prepare. We don't have to include the FQDN if we are preparing the domain where we are executing the command.

Setup.exe /PrepareDomain:<FQDN of the domain to prepare> /IAcceptExchangeServerLicenseTerms

3. Repeat the steps for each Active Directory domain where we will install an Exchange server or where mail-enabled users will be located.

How to verify installation:

We can use a tool called Active Directory Service Interfaces Editor (ADSI Edit). ADSI Edit is included as part of the Active Directory Domain Services Tools feature in Windows Server 2012 R2 and Windows Server 2012.
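As an added example (not from the original post), the following PowerShell script reads the same objects ADSI Edit would show you, one per preparation step, using the ActiveDirectory module, and then runs a repadmin replication check. It assumes the RSAT ActiveDirectory module is installed and that the account can read the Configuration partition; the version values to expect depend on the Exchange 2016 cumulative update and are not on this page.

```powershell
# Added example: check the objects each preparation step creates, then check
# replication. Assumes the RSAT ActiveDirectory module and rights to read the
# Configuration partition. Expected version values depend on the Exchange CU.
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

function Get-ExchangeAdPrepStatus {
    # /PrepareSchema: rangeUpper on ms-Exch-Schema-Version-Pt holds the Exchange schema version
    $schemaVer = (Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
        -Properties rangeUpper -ErrorAction SilentlyContinue).rangeUpper

    # /PrepareAD: the organization container under Microsoft Exchange Services (objectVersion)
    $orgs = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion

    # /PrepareDomain or /PrepareAllDomains: each prepared domain has a
    # Microsoft Exchange System Objects container (objectVersion) at its root
    $domains = foreach ($d in (Get-ADForest).Domains) {
        $dn   = (Get-ADDomain -Identity $d).DistinguishedName
        $meso = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$dn" `
            -Server $d -Properties objectVersion -ErrorAction SilentlyContinue
        $ver  = if ($meso) { $meso.objectVersion } else { $null }
        [pscustomobject]@{ Domain = $d; Prepared = [bool]$meso; DomainObjectVersion = $ver }
    }

    [pscustomobject]@{
        SchemaExtended = [bool]$schemaVer
        SchemaVersion  = $schemaVer
        Organizations  = @($orgs | ForEach-Object { "$($_.Name) (objectVersion=$($_.objectVersion))" })
        Domains        = $domains
    }
}

# Run after each step: every partner with failures must be fixed before moving on
function Test-AdReplication {
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status'
}

Get-ExchangeAdPrepStatus | Format-List
Test-AdReplication | Format-Table -AutoSize
```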